From cert-advisory@cert.org Fri Jul 12 05:19:26 2002
From: CERT Advisory
To: cert-advisory@cert.org
Date: Wed, 10 Jul 2002 21:34:28 -0400 (EDT)
Subject: CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk
Original release date: July 10, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running CDE ToolTalk
Overview
Two vulnerabilities have been discovered in the Common Desktop
Environment (CDE) ToolTalk RPC database server. The first
vulnerability could be used by a remote attacker to delete arbitrary
files, cause a denial of service, or possibly execute arbitrary code
or commands. The second vulnerability could allow a local attacker to
overwrite arbitrary files with contents of the attacker's choice.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on UNIX and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see
http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/
This advisory addresses two new vulnerabilities in the CDE ToolTalk
RPC database server. These vulnerabilities are summarized below and
are described in further detail in their respective vulnerability
notes. A list previously documented problems in CDE can be found
Appendix B.
VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database
server (rpc.ttdbserverd) does not adequately validate file descriptor
argument to _TT_ISCLOSE()
The ToolTalk RPC database server does not validate the range of
an argument passed to the procedure _TT_ISCLOSE(). As a result,
certain locations in memory can be overwritten with zeros. For
more information, please see VU#975403:
http://www.kb.cert.org/vuls/id/975403
This vulnerability has been assigned CAN-2002-0677 by the
Common Vulnerabilities and Exposures (CVE) group.
VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database
server (rpc.ttdbserverd) does not adequately validate file operations
The ToolTalk RPC database server does not ensure that the
target of a file write operation is a valid file and not a
symbolic link. For more information, please see VU#299816:
http://www.kb.cert.org/vuls/id/299816
This vulnerability has been assigned CAN-2002-0678 by the
Common Vulnerabilities and Exposures (CVE) group.
II. Impact
VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database
server (rpc.ttdbserverd) does not adequately validate file descriptor
argument to _TT_ISCLOSE()
By issuing a specially crafted call to the procedure
_TT_ISCLOSE(), a remote attacker could overwrite certain
locations in memory with zeros. Using a combination of
techniques that include valid ToolTalk RPC requests, an
attacker could leverage this vulnerability to delete any file
that is accessible by the ToolTalk RPC database server. Since
the server typically runs with root privileges, any file on a
vulnerable system could be deleted. Overwriting memory or
deleting files could cause a denial of service. It may also be
possible to execute arbitrary code and commands.
VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database
server (rpc.ttdbserverd) does not adequately validate file operations
By referencing a specially crafted symbolic link in certain
ToolTalk RPC requests, a local attacker could overwrite any
file that is accessible by the the ToolTalk RPC database server
with contents of the attacker's choice. Since the server
typically runs with root privileges, any file on a vulnerable
system could be overwritten. Overwriting root-owned files could
lead to lead to privilege escalation or cause a denial of
service.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please contact your vendor directly.
Disable vulnerable service
Until patches are available and can be applied, you may wish to
disable the ToolTalk RPC database service. As a best practice, the
CERT/CC recommends disabling all services that are not explicitly
required. On a typical CDE system, it should be possible to disable
rpc.ttdbserverd by commenting out the relevant entries in
/etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the
inetd process.
The program number for the ToolTalk RPC database server is 100083. If
references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
/etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then
the ToolTalk RPC database server may be running.
The following example was taken from a system running SunOS 5.8
(Solaris 8):
/etc/inetd.conf
...
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd\
rpc.ttdbserverd (line wrapped)
...
# rpcinfo -p
program vers proto port service
...
100083 1 tcp 32773
...
# ps -ef
UID PID PPID C STIME TTY TIME CMD
...
root 355 164 0 19:31:27 ? 0:00 rpc.ttdbserverd
...
Before deciding to disable the ToolTalk RPC database server or the RPC
portmapper service, carefully consider your network configuration and
service requirements.
Block access to vulnerable service
Until patches are available and can be applied, you may wish to block
access to the ToolTalk RPC database server and possibly the RPC
portmapper service from untrusted networks such as the Internet. Use a
firewall or other packet-filtering technology to block the appropriate
network ports. The ToolTalk RPC database server may be configured to
use port 692/tcp or another port as indicated in output from the
rpcinfo(1M) command. In the example above, the ToolTalk RPC database
server is configured to use port 32773/tcp. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. Keep in mind that
blocking ports at a network perimeter does not protect the vulnerable
service from attacks that originate from the internal network.
Before deciding to block or restrict access to the ToolTalk RPC
database server or the RPC portmapper service, carefully consider your
network configuration and service requirements.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Caldera, Inc.
Caldera Open UNIX and Caldera UnixWare provide the CDE
ttdbserverd daemon, and are vulnerable to these issues. We have
prepared fixes for those two operating systems, and will make
them available as soon as these issues are made public.
SCO OpenServer and Caldera OpenLinux do not provide CDE, and
are therefore not vulnerable.
Compaq Computer Corporation
SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary
of Hewlett-Packard Company and Hewlett-Packard Company HP
Services Software Security Response Team
CROSS REFERENCE: SSRT2251
At this time Compaq does have solutions in final testing and
will publish HP Tru64 UNIX security bulletin (SSRT2251) with
patch information as soon as testing has completed and kits are
available from the support ftp web site.
A recommended workaround however is to disable rpc.ttdbserver
until solutions are available. This should only create a
potential problem for public software packages applications
that use the RPC-based ToolTalk database server. This step
should be evaluated against the risks identified, your security
measures environment, and potential impact of other products
that may use the ToolTalk database server.
To disable rpc.ttdbserverd:
+ Comment out the following line in /etc/inetd.conf:
rpc.ttdbserverd stream tcp swait root
/usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd (line wrapped)
+ Force inetd to re-read the configuration file by executing
the inetd -h command.
Note: The internet daemon should kill the currently running
rpc.ttdbserver. If not, manually kill any existing
rpc.ttdbserverd process.
Cray, Inc.
Cray, Inc. does include ToolTalk within the CrayTools product.
However, rpc.ttdbserverd is not turned on or used by any Cray
provided application. Since a site may have turned this on for
their own use, they can always remove the binary
/opt/ctl/bin/rpc.ttdbserverd if they are concerned.
Fujitsu
Fujitsu's UXP/V operating system is affected by the
vulnerability reported in VU#975403 [or VU#299816] because
UXP/V does not support any CDE functionalties.
Hewlett-Packard Company
HP9000 Series 700/800 running HP-UX releases 10.10, 10.20,
11.00, and 11.11 are vulnerable.
Until patches are available, install the appropriate file to
replace rpc.ttdbserver.
Download rpc.ttdbserver.tar.gz from the ftp site. This file is
temporary and will be deleted when patches are available from
the standard HP web sites, including itrc.hp.com.
System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
ftp://ttdb1:ttdb1@192.170.19.51/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d
An HP security bulletin will be released with more information.
IBM Corporation
The CDE desktop product shipped with AIX is vulnerable to both
the issues detailed above in the advisory. This affects AIX
releases 4.3.3 and 5.1.0 An efix package will be available
shortly from the IBM software ftp site. The efix packages can
be downloaded from ftp.software.ibm.com/aix/efixes/security.
This directory contains a README file that gives further
details on the efix packages.
The following APARs will be available in the near future:
AIX 4.3.3: IY32368
AIX 5.1.0: IY32370
SGI
SGI acknowledges the ToolTalk vulnerabilities reported by CERT
and is currently investigating. No further information is
available at this time.
For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation
has occurred and any necessary patch(es) or release streams are
available for all vulnerable and supported IRIX operating
systems. Until SGI has more definitive information to provide,
customers are encouraged to assume all security vulnerabilities
as exploitable and take appropriate steps according to local
site security policies and requirements. As further information
becomes available, additional advisories will be issued via the
normal SGI security information distribution methods including
the wiretap mailing list on
http://www.sgi.com/support/security/.
Sun Microsystems, Inc.
The Solaris RPC-based ToolTalk database server, rpc.ttdbserver,
is vulnerable to the two vulnerabilities [VU#975403 VU#299816]
described in this advisory in all currently supported versions
of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
Patches are being generated for all of the above releases. Sun
will publish a Sun Security Bulletin and a Sun Alert for this
issue. The Sun Alert will be available from:
http://sunsolve.sun.com
The patches will be available from:
http://sunsolve.sun.com/securitypatch
Sun Security Bulletins are available from:
http://sunsolve.sun.com/security
Xi Graphics
Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. When
announced, the update and accompanying text file will be:
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.\
gz (line wrapped)
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt
Most sites do not need to use the ToolTalk server daemon. Xi
Graphics Security recommends that non-essential services are
never enabled. To disable the ToolTalk server on your system,
edit /etc/inetd.conf and comment out, or remove, the
'rpc.ttdbserver' line. Then, either restart inetd, or reboot
your machine.
Appendix B. - References
* http://www.opengroup.org/cde/
* http://www.opengroup.org/desktop/faq/
* http://www.cert.org/advisories/CA-2002-01.html
* http://www.cert.org/advisories/CA-2001-31.html
* http://www.kb.cert.org/vuls/id/172583
* http://www.cert.org/advisories/CA-2001-27.html
* http://www.kb.cert.org/vuls/id/595507
* http://www.kb.cert.org/vuls/id/860296
* http://www.cert.org/advisories/CA-1999-11.html
* http://www.cert.org/advisories/CA-1998-11.html
* http://www.cert.org/advisories/CA-1998-02.html
_________________________________________________________________
The CERT Coordination Center thanks the reporters, Iván Arce and
Ricardo Quesada of CORE SECURITY TECHNOLOGIES, for their assistance
and cooperation in producing this document.
_________________________________________________________________
Author: Art Manion
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-20.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
July 10, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPSzfNKCVPMXQI2HJAQGb3AP9Fh4bIxXmwBxxhlcJc+OCvbwWAcOYhO4X
ymhM/lO/3MvlBof2iANKGAgC0+DNGg+NTHuvpFnfCDdyUR6teiPfxBxJZWTLrPGQ
bWmYzgs3A+K1Tl+b0wMbLm0BuizzCyoKegTUQ8Qygt4kWQ26NEMMoeE/XCtID0LX
L5PLJReDnJY=
=sjVU
-----END PGP SIGNATURE-----